Software. Microcontrollers. Beer.

Up and Running With Bless and Enforced MFA - Part 2

Part 2 of deploying Bless focuses on enforcing MFA and on using Lyft's client.

The problem at this point is that anyone in the ops group can bounce without MFA being enforced. We can set up the Lyft client, which prompts for MFA, but unless we make other changes there is still no enforcement: the MFA check lives in the client, so you can still call the Netflix client and bounce right in.
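Because the check lives in the client, the enforcement has to happen on the AWS side, where the Lambda is invoked. The following IAM policy is an added example, not the original post's configuration or Bless's own: it grants `lambda:InvokeFunction` on the Bless function only when the caller's credentials were obtained with MFA. The account ID, region and function name are placeholders.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "InvokeBlessOnlyWithMFA",
      "Effect": "Allow",
      "Action": "lambda:InvokeFunction",
      "Resource": "arn:aws:lambda:us-east-1:123456789012:function:bless",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
  ]
}
```

`aws:MultiFactorAuthPresent` is only set on temporary credentials (for example a session obtained through `aws sts get-session-token --serial-number <mfa-arn> --token-code <code>`); long-term access keys carry no such key at all. With a plain `Bool` test a missing key makes the condition false, so a call made with static keys, whichever client makes it, is denied. Do not use `BoolIfExists` here, since that would let static keys through. Attach the policy to the ops group (or to the role the client assumes) and remove any broader `lambda:InvokeFunction` grant that lacks the condition, otherwise the unconditioned statement still wins.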

The other issue is that Netflix's bless client is built around the idea of a bastion host. In-house, we have IPsec tunnels from our VPCs to our internal network, so I don't need to bounce through a bastion. I want anyone to be able to bounce, provided they have permissions (ops) and used MFA. Lyft's client doesn't enforce the bastion concept, which is nice.

Prerequisites

In the AWS IAM console, assign and enable an MFA device for your IAM user.

Setting up the client

I wrote a wrapper to simplify this. Feel free not to like it, but I put this in my ~/.bash_aliases to make it easier: